iPlanet Directory Server Access Management Edition Administration Guide
Chapter 3 Policy Management
This chapter describes the policy service management features of iPlanet Directory Server Access Management Edition (DSAME). The Policy Management interface provides a way to view, manage and configure all DSAME policies. This chapter contains the following sections:
- The Policy Service
- Policy Management
The Policy Service
Every business has a need to protect its resources. This is done by configuring and managing rules that define who can do what to which resource. The DSAME Policy Service allows an organization to set up these rules, or policies. Each DSAME service that is written to enforce policies must have a policy schema. A policy schema is a set of rules and all their possible values. In DSAME, a policy schema is defined in an XML document that describes the full range of policy options available for a given service. From the policy schema, an administrator can create named policies, in the Policy Management view, to apply at different levels (role or organization). These named policies, once created, are then assigned to a specific role or organization within the User Management view.
DSAME ships with one policy service, the URL Policy Agent, and one sample mail service. For more information on the sample mail service and writing new policy schema, see the iPlanet Directory Server Access Management Edition Programmer's Guide.
The URL Policy Agent
A URL Policy Agent is a plug-in that enforces web access rules. The URL Policy Agent plugs into the iPlanet Web Server and performs two functions:
Validating a User's Sign On
Once a user has logged in to DSAME, each request to the server will contain a user identification token which, in effect, proves that they have been successfully authenticated. The token is unique for a user on a given server. Once the URL Policy Agent intercepts a user's request, it looks for this token to verify that it represents an authenticated user. If the user is represented properly, the request is passed forward and subjected to the user's URL policy enforcement. If the user is not verified, the user is redirected to the Authentication page. (Similarly, if there is no user identification token at all, the user is redirected to the Authentication page.)
Enforcing URL Access
Once a user's identification is verified, the URL Policy Agent checks the user's URL access policies to find out the user's level of access. The URL being requested can be assigned to one of three attributes that are inherited by every entity in an organization's hierarchy when the URL Policy Agent service is registered. These three attributes are Allow, Deny and Not Enforced. The values of these three attributes are obtained from the aggregation of a user's roles.
Allow
- iplanet-am-web-agent-access-allow-list is the attribute that contains all the URLs that an authenticated user is allowed to access.
Deny
- iplanet-am-web-agent-access-deny-list is the attribute that contains all the URLs that an authenticated user is not allowed to access.
Not Enforced
- iplanet-am-web-agent-access-not-enforced-list is the attribute that contains all the URLs that are not subjected to URL policy enforcement. However, user authentication is still required, because the agent must identify the user before it can determine the value of this attribute for that user.
Hierarchy Of Enforcement
In the enforcement of policy, Deny privileges take precedence over Allow privileges. An empty Deny list allows only those resources that are listed in the Allow list. An empty Allow list allows access to no resources except those in the Not Enforced list. If the URL access policy cannot be resolved between the Deny and Allow lists, access to the resource is denied.
The following URLs are the default values of the Not Enforced option located in the AMConfig.properties file (the property is named com.iplanet.am.policy.agents.url.notenforcedlist.local). No authentication is required for these URLs:
http://<host>:<port>/amserver/console*
http://<host>:<port>/amserver/login*
http://<host>:<port>/amserver/images*
http://<host>:<port>/amserver/admin*
http://<host>:<port>/amserver/docs*
http://<host>:<port>/amserver/logout
http://<host>:<port>/amserver/index.html
http://<host>:<port>/amserver/namingservice
http://<host>:<port>/amserver/loggingservice
http://<host>:<port>/amserver/sessionservice
Allowing all users access to these URLs is what makes user authentication possible: a browser with no token must be able to reach the login page. Any edits made to the AMConfig.properties file require a restart of the agent's server.
How the URL Policy Agent Works
Below is a description of how the URL Policy Agent works.
1. Upon initialization, the URL Policy Agent reads the Not Enforced list from the AMConfig.properties file. Because access to the /login screen is not enforced, the user is able to view the login page.
2. After successful user authentication, the user's URL access is Not Enforced until the user's URL Policy values are found.
3. DSAME applies the Deny URLs to the user's URL access.
4. DSAME applies the Allow URLs to the user's URL access.
5. The user's policy profile is complete for this authentication session.
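The decision rules spelled out in "Hierarchy Of Enforcement" and the request flow in "How the URL Policy Agent Works" are easier to reason about as executable logic. The following is an added example written for this page; it is not DSAME or URL Policy Agent code and does not reflect the agent's internal implementation. The host and port, the two sample roles, the treatment of the identification token as a simple valid/invalid flag, the reading of "aggregation" as a union of the role attributes, and the wildcard semantics (a `*` matches any run of characters, everything else is literal) are all assumptions made for the illustration.

```python
"""Model of the URL Policy Agent decision rules described in this chapter.

Added example, not DSAME or URL Policy Agent code. The host/port, the role
contents, the token handling and the exact wildcard semantics are assumptions.
"""
import re

# Attribute names as given in "Enforcing URL Access".
ATTR_ALLOW = "iplanet-am-web-agent-access-allow-list"
ATTR_DENY = "iplanet-am-web-agent-access-deny-list"
ATTR_NOT_ENFORCED = "iplanet-am-web-agent-access-not-enforced-list"

BASE = "http://www.example.com:80"  # assumed value of <host>:<port>

# Default notenforcedlist.local values from AMConfig.properties with the
# placeholders filled in. The agent serves these without any authentication.
LOCAL_NOT_ENFORCED = [
    BASE + "/amserver/console*",
    BASE + "/amserver/login*",
    BASE + "/amserver/images*",
    BASE + "/amserver/admin*",
    BASE + "/amserver/docs*",
    BASE + "/amserver/logout",
    BASE + "/amserver/index.html",
    BASE + "/amserver/namingservice",
    BASE + "/amserver/loggingservice",
    BASE + "/amserver/sessionservice",
]


def url_matches(pattern: str, url: str) -> bool:
    """True if url matches pattern; '*' is the only wildcard (assumed semantics)."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, url) is not None


def any_match(patterns, url: str) -> bool:
    return any(url_matches(p, url) for p in patterns)


def aggregate_policy(role_attrs):
    """Union the three list attributes over every role the user holds.

    The chapter says the effective values are the aggregation of the user's
    roles; a set union is the assumed meaning of "aggregation".
    """
    merged = {ATTR_ALLOW: set(), ATTR_DENY: set(), ATTR_NOT_ENFORCED: set()}
    for attrs in role_attrs:
        for name in merged:
            merged[name].update(attrs.get(name, ()))
    return merged


def decide(url: str, token_valid: bool, policy: dict) -> str:
    """Apply the hierarchy of enforcement to one request.

    Returns "PASS", "REDIRECT_TO_LOGIN" or "FORBIDDEN". token_valid stands in
    for the agent's check of the user identification token.
    """
    # 1. Agent-local not-enforced URLs need no session at all; this is what
    #    lets an unauthenticated browser reach the login page.
    if any_match(LOCAL_NOT_ENFORCED, url):
        return "PASS"
    # 2. Everything else needs a valid token; otherwise redirect to Authentication.
    if not token_valid:
        return "REDIRECT_TO_LOGIN"
    # 3. Policy Not Enforced list: authenticated, but no Allow/Deny evaluation.
    if any_match(policy[ATTR_NOT_ENFORCED], url):
        return "PASS"
    # 4. Deny takes precedence over Allow.
    if any_match(policy[ATTR_DENY], url):
        return "FORBIDDEN"
    # 5. Only an explicit Allow entry grants access. Anything unresolved is
    #    denied, so an empty Allow list denies every enforced URL.
    if any_match(policy[ATTR_ALLOW], url):
        return "PASS"
    return "FORBIDDEN"


# Constructed roles for a sample user (not taken from the guide).
SAMPLE_ROLES = [
    {  # an "employee" role
        ATTR_ALLOW: [BASE + "/intranet/*"],
        ATTR_NOT_ENFORCED: [BASE + "/public/*"],
    },
    {  # a "contractor" role; its Deny entry wins over the employee Allow
        ATTR_DENY: [BASE + "/intranet/payroll/*"],
    },
]


if __name__ == "__main__":
    policy = aggregate_policy(SAMPLE_ROLES)
    for url, has_token in [
        (BASE + "/amserver/login?goto=/intranet/", False),
        (BASE + "/intranet/index.html", False),
        (BASE + "/intranet/index.html", True),
        (BASE + "/intranet/payroll/report.html", True),
        (BASE + "/public/news.html", True),
        (BASE + "/other/page.html", True),
    ]:
        print(f"{decide(url, has_token, policy):17} {url}")
```

The order of the checks is the point: the agent-local list is consulted before any token check, the policy Not Enforced list only after the token has been validated, and a Deny match is tested before any Allow match. Note that an entry without a trailing `*` (such as `/amserver/logout`) matches only that exact URL, so a query string appended to it falls through to the token check.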
Policy Management
Policies are configured using the Policy Management interface. This interface provides a means for:
- The Top Level Administrator to view, create, delete and modify policies for a specific service that can be used across all organizations.
- An organization's or sub-organization's administrator to view, create, delete and modify policies for specific use by the organization.
In general, policy is created at the organization (or sub-organization) level to be used throughout the organization's tree. In order to create a named policy, the specific policy service must first be registered to the organization under which the policy will be created.
Registering Policy Services
Registering a policy service is the same as registering any type of service; it is done within the User Management interface.
1. Navigate to User Management by choosing View User Management.
- When the DSAME console opens, the default interface is User Management.
2. Choose the organization for which you would like to create policy.
- If logged in as the Top Level Administrator, make sure that the location of the User Management interface is the top level organization where all configured organizations are visible. The default top level organization is o=isp.
3. Choose Services from the Show menu.
- If the organization already has registered services, they will be displayed in the navigation pane.
4. Click Register in the navigation pane.
- A listing of the services not yet registered to this organization is displayed in the data pane.
5. Select the URL Policy Agent checkbox from Register Services.
- The URL Policy Agent service is now registered to the chosen organization.
Creating Named Policies
Policies are created through the Policy Management interface. Once a named policy is created, it can be assigned to roles or organizations via the User Management interface.
1. Navigate to Policy Management by choosing View Policy Management.
- Policies can only be created under an organization if that organization has first registered the URL Policy Agent service. See Registering Policy Services above.
2. Choose the organization for which you would like to create a policy.
- Ensure that the location of the Policy Management window is correct for your organization. The default top level organization is o=isp.
3. Choose Policies from the Show menu.
- By default, Organizations is visible in the Show menu. All sub-organizations configured, if any, will be visible below it. If creating policies for a sub-organization, choose the sub-organization and then choose Policies from the Show menu.
4. Click New in the navigation pane.
- The New Policy window opens in the data pane. The URL Policy Agent service is selected by default as it is the only policy service available. To add other policy services, see the iPlanet Directory Server Access Management Edition Programmer's Guide.
5. Type a name for the policy and click Create.
- The new policy rule window opens under the policy name created.
6. Choose an action for the URL Policy Service.
- The choices Allow, Deny or Not Enforced are explained in "Enforcing URL Access".
7. Type a resource in the Resource field and press Add Rule for the URL Policy Service.
- Currently, the only resources that can be enforced are http:// and https:// addresses. Wildcards are also supported.
8. Repeat Step 6 and Step 7 to add additional actions to the URL policy.
- Actions that have already been added to a policy can be deleted by checking the Select box next to the action and pressing Delete.
9. Click Save to complete the named policy's configuration.
Assigning Named Policies
Once a policy has been named and created, it can be assigned to an organization or a role. This is done using the User Management interface. Assigning a policy at the organization level makes its attributes available to all entries in the organization. Assigning a policy to a role makes its attributes available to all users who hold that role.
Assigning Named Policies to an Organization
1. Navigate to User Management by choosing View User Management.
- When the DSAME console opens, the default window is User Management.
2. Choose the organization to which you would like to assign a named policy.
- Ensure that the location of User Management is correct for your organization. The default top level organization is o=isp.
3. Choose Policies from the Show menu.
- If the organization already has policies assigned to it, they are displayed in the navigation pane. If the Assign Policies interface is not visible, click Assign and all unassigned policies will be displayed in the data pane.
4. Select the box (or boxes) next to the unassigned policy (or policies) and click Assign.
- The chosen policy (or policies) will be displayed in the navigation pane. The policy is now assigned to the organization.
Assigning Named Policies to a Role
1. Navigate to User Management by choosing View User Management.
- When the DSAME console opens, the default window is User Management.
2. Choose Organizations from the Show menu.
- If the role to which you would like to assign a named policy is in the top level organization, choose Roles from the Show menu and skip to Step 4. (The default top level organization is o=isp.)
3. Choose Roles from the Show menu.
- All configured roles for the organization are displayed in the navigation pane.
4. Select the role to which you would like to apply a policy.
- The chosen role displays in the Location field in the uppermost window.
5. Choose Policies from the Show menu.
- If the role already has policies assigned to it, they are displayed in the navigation pane.
6. Click Assign to see a list of all unassigned policies.
7. Choose the box (or boxes) next to the unassigned policy (or policies) and click Assign.
Copyright © 2002 Sun Microsystems, Inc. All rights reserved.
Last Updated May 09, 2002